Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2249470

Summary: [RHOSP 17.1.1] There should be wrong default configuration in file "15-horizon_ssl_vhost.conf"
Product: Red Hat OpenStack
Reporter: XinhuaLi <xili>
Component: puppet-horizon
Assignee: OSP Team <rhos-maint>
Status: CLOSED DUPLICATE
QA Contact: ikanias
Severity: urgent
Priority: unspecified
Version: 17.1 (Wallaby)
CC: jjoyce, jschluet, rdopiera, slinaber, tvignaud
Hardware: All
OS: All
Last Closed: 2023-11-14 15:32:52 UTC
Type: Bug

Description XinhuaLi 2023-11-13 10:03:03 UTC
Description of problem:
After deploying RHOSP 17.1.1 with RH IDM to provide TLS-e, we found that we cannot log in to the dashboard and a 503 error is shown.

We are assuming that this is the wrong default configuration at "/var/lib/config-data/puppet-generated/horizon/etc/httpd/conf.d/15-horizon_ssl_vhost.conf"

We should remove or comment out the line "SSLVerifyClient         require".
So please help to consider whether this is a bug.

Version-Release number of selected component (if applicable):
RHOSP 17.1.1 

How reproducible:
Deploy RHOSP 17.1.1 and IDM to provide TLS-e

Steps to Reproduce:
1. Access the dashboard and you will see a 503 error

Actual results:
[root@overcloud-controller-2 horizon]# cat error_log.1
[Mon Nov 13 14:39:22.188371 2023] [mpm_prefork:notice] [pid 2:tid 2] AH00169: caught SIGTERM, shutting down
[Mon Nov 13 14:39:23.196897 2023] [mpm_prefork:notice] [pid 2:tid 2] AH00163: Apache/2.4.53 (Red Hat Enterprise Linux) OpenSSL/3.0.7 mod_wsgi/4.7.1 Python/3.9 configured -- resuming normal operations
[Mon Nov 13 14:39:23.196957 2023] [core:notice] [pid 2:tid 2] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[root@overcloud-controller-2 horizon]# cat horizon_ssl_error.log.1
[Mon Nov 13 14:52:39.636113 2023] [ssl:error] [pid 56:tid 56] [client 192.13.1.22:59386] AH02040: Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)
[root@overcloud-controller-2 horizon]# cat horizon_ssl_access.log.1
192.13.1.22 - - [10/Nov/2023:16:48:03 +0800] "GET / HTTP/1.0" 400 362 "-" "-"
192.13.1.22 - - [10/Nov/2023:16:48:59 +0800] "GET / HTTP/1.0" 400 362 "-" "-"
192.13.1.22 - - [10/Nov/2023:16:52:18 +0800] "GET / HTTP/1.0" 400 362 "-" "-"
192.13.1.22 - - [10/Nov/2023:16:52:54 +0800] "GET / HTTP/1.0" 400 362 "-" "-"

[root@overcloud-controller-3 ~]# curl -v  https://overcloud.rhosp-mvno.openlab.com
*   Trying 192.13.3.30:443...
* Connected to overcloud.rhosp-mvno.openlab.com (192.13.3.30) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=RHOSP-MVNO.OPENLAB.COM; CN=overcloud.rhosp-mvno.openlab.com
*  start date: Nov  8 08:10:47 2023 GMT
*  expire date: Oct 20 10:53:30 2043 GMT
*  subjectAltName: host "overcloud.rhosp-mvno.openlab.com" matched cert's "overcloud.rhosp-mvno.openlab.com"
*  issuer: O=RHOSP-MVNO.OPENLAB.COM; CN=Certificate Authority
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET / HTTP/1.1
> Host: overcloud.rhosp-mvno.openlab.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< content-length: 107
< cache-control: no-cache
< content-type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* Connection #0 to host overcloud.rhosp-mvno.openlab.com left intact


Expected results:
No error

Additional info:

Comment 1 Radomir Dopieralski 2023-11-14 15:32:52 UTC

*** This bug has been marked as a duplicate of bug 2193388 ***
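
Added example, not part of the bug report or of puppet-horizon: a Python script that ties the AH02040 line in horizon_ssl_error.log.1 to the client-verification directives of a vhost file, so the rejected client, the reported chain length and the effective depth limit can be read side by side. The vhost fragment is constructed (only its `SSLVerifyClient require` line is quoted in the report), the function names are hypothetical, and the fallback depth of 1 is the mod_ssl default for an unset SSLVerifyDepth.

```python
import re
# Line copied from horizon_ssl_error.log.1 in the report above.
SAMPLE_LOG = (
    "[Mon Nov 13 14:52:39.636113 2023] [ssl:error] [pid 56:tid 56] "
    "[client 192.13.1.22:59386] AH02040: Certificate Verification: "
    "Certificate Chain too long (chain has 2 certificates, but maximum "
    "allowed are only 1)\n"
)
# Constructed vhost fragment; only the SSLVerifyClient line is quoted in the report.
SAMPLE_VHOST = """\
<VirtualHost *:443>
  # SSLVerifyDepth 3
  SSLVerifyClient         require
</VirtualHost>
"""
DEFAULT_DEPTH = 1  # mod_ssl default when SSLVerifyDepth is not set
AH02040 = re.compile(
    r"\[client (?P<ip>[^\]:]+):\d+\] AH02040: .*?chain has (?P<seen>\d+) "
    r"certificates, but maximum allowed are only (?P<limit>\d+)"
)

def verify_settings(conf_text):
    """Effective SSLVerifyClient / SSLVerifyDepth for the given config text."""
    settings = {"client": "none", "depth": DEFAULT_DEPTH}
    for raw in conf_text.splitlines():
        # A commented-out line has a first token starting with '#', so it never matches.
        name, value = (raw.split() + ["", ""])[:2]
        name = name.lower()  # Apache directive names are case-insensitive
        if name == "sslverifyclient" and value:
            settings["client"] = value.lower()
        elif name == "sslverifydepth" and value.isdigit():
            settings["depth"] = int(value)
    return settings

def chain_errors(log_text):
    """(client_ip, reported_chain, allowed_depth) for every AH02040 line."""
    return [(m["ip"], int(m["seen"]), int(m["limit"]))
            for m in AH02040.finditer(log_text)]

def correlate(conf_text, log_text):
    """Tie each depth rejection in the log to the vhost's verification settings."""
    cfg = verify_settings(conf_text)
    return [{"client": ip, "reported_chain": seen, "allowed_depth": limit,
             "client_cert_checked": cfg["client"] != "none",
             "limit_matches_config": limit == cfg["depth"]}
            for ip, seen, limit in chain_errors(log_text)]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_VHOST, SAMPLE_LOG):
        print(finding)
```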